HIPAA Compliance Audits: OCR Transmits Pre-Screening Surveys

According to a recent article in Lexology, the Department of Health and Human Services’ Office for Civil Rights (OCR) has started transmitting pre-screening surveys to HIPAA-covered entities, signaling the start of the long-awaited second round of HIPAA compliance audits. However, the OCR has yet to post a notice to that effect on its website.

OCR Prepares for the Second Phase of Compliance Audits

The OCR had previously placed a notice in the Federal Register stating its intention to send pre-audit screening questionnaires to up to 1,200 covered entities and their Business Associates last year, so that organizations could be contacted and assessed for their suitability for audit.

The OCR must ensure that a representative sample of covered entities is audited, including large and small healthcare providers, healthcare clearinghouses, insurers and health plans, as well as Business Associates of covered entities. The audits must also be geographically representative, covering the whole of the United States. According to the OCR’s Susan McAndrew, the screening questionnaires are intended to “assess the size, complexity, and fitness of a respondent for an audit.”

The Office for Civil Rights is required to conduct compliance audits under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The pilot phase of the compliance audits took place between 2011 and 2012, with the second phase scheduled for the autumn of 2014. The pre-screening questionnaires were not sent last year because the OCR first needed to make important updates to its breach reporting portal, so that collecting documentation from covered entities would be a smoother and less labor-intensive process.

Earlier this year, the OCR indicated that the audits would not take place in the first half of the year because the audit protocol had yet to be finalized. Phase 2 of the HIPAA compliance audits will have a different focus from the pilot round, which took a broad look at compliance with the HIPAA Rules, so a new audit protocol was required.

For the next phase, the audits will be conducted in modules covering the Breach Notification Rule, the Security Rule and the Privacy Rule. Many organizations will be selected for an audit on just one module, although a full compliance audit covering all three remains a possibility.

Penalties for HIPAA Violations

Auditors will be looking for evidence that organizations have adopted best practices to safeguard the Protected Health Information (PHI) of patients and plan members. They will also try to identify vulnerabilities that have not been addressed, and to determine which aspects of HIPAA, if any, covered entities are struggling to implement.

The audits give the OCR a much more accurate picture of the general state of compliance with the Privacy, Security and Breach Notification Rules, and help the department produce new guidance to assist covered entities.

The aim of the audits is not to find HIPAA violators. However, if irregularities are discovered, a full compliance review is likely to follow, and financial penalties will be issued if any severe HIPAA violations are uncovered.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.